Overview
Per Technology Letter (TL) 17-01, all Agencies/state entities shall submit a summary of actual and projected information technology, telecommunications, and information security costs for the immediately preceding fiscal year and current fiscal year.
The summary must include current expenses and projected expenses for the current fiscal year in order to capture statewide information technology spend, including federal grant funds for information security purposes.
FAQs
Per the instructions in SIMM 55, departments must complete and transmit all spreadsheets, including the IT Security Spend Summary and IT Security Spend Allocation spreadsheets for both fiscal years.
Since tabs 1-4 are reported in actual dollar amounts, tabs 5 and 6 should be reported in actual dollar amounts as well to be more consistent and user-friendly.
AB 137 (11546.45) is a new legislative mandate that requires the California Department of Technology to collect state entities’ existing information technology service contracts to identify the services that would be appropriately centralized as shared services contracts.
For tab 6, we are only asking for FY 2021-2022 because we only want actual encumbrances. We do not want FY 2022-2023 estimates as we normally do with the rest of the IT Cost Report.
IT services and systems contracts means contracts for services and systems, including, but not limited to, cloud services, including “Software as a Service”, “Infrastructure as a Service”, and “Platform as a Service”, on-premises services and systems, IT personal services, and IT consulting services.
An IT service or system is considered a high-risk, critical IT service or system if the disclosure of that record would reveal vulnerabilities to an information system of a public agency. In other words, would disclosure of this procurement reveal vulnerabilities or increase the potential for an attack on an IT system of a public agency?
All IT costs are captured in tab 5 under the 8 categories and any IT systems and services contracts that are over $500,000 are captured on tab 6. The intent of the two tabs is different. Tab 5 provides the overall IT spend, while tab 6 provides contracts over $500,000 so we can determine which services or licenses could be converted into enterprise licenses.
Report PO/contracts that are $500,000 or more and report any IT spend that is $500,000 or more annually for a particular product/service. For example, if you have one contract for Manufacturer X for $550,000, you report it. In addition, if you have 5 separate POs (each $100K) from different resellers, but all are the same product/service from Manufacturer X, you report those as well.
For multi-year contracts, provide the encumbrance amounts by fiscal year and not the full contract amount for the PO/contract.
You will report for the whole department that had contracts where spend was $500,000 or more for IT systems and services.
No, you do not need to break out the costs for IT services. Report the whole contract that is a combination of hardware and IT services. We asked to exclude hardware because we don’t need it, but if IT services are included in those contracts, you can report the whole contract.
According to the FI$Cal chart of accounts, personal services are classified as salaries and wages. Consulting and professional services are classified as operating expense and equipment. A contract would not be split between consultant salaries and consultant services. The costs would be reported as one complete contract.
The state wants to evaluate total spend on Cloud Services (Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS)). The Cloud Services category was added to capture this spend separate from other categories since Cloud Services were previously reported as a subset of other categories. Most departments will not have itemized security costs associated with Cloud Services so detailed security spend is not needed. However, if your department does have itemized security costs, you may report it, but this is optional.
Subscription cost for software hosted on-prem/onsite should be reported under the Software line item and subscription cost for SaaS/cloud accessed applications should be reported under the Cloud Services line item.
In previous years, the template was only calculating the general IT total. The new total rows for security are designed to automatically calculate the security totals to ensure accuracy.
The Network and Telecomm Costs columns were added so the summarized totals correspond with the Network and Telecomm IT security cost totals in tab 5.
February 1st is the legislative deadline, which helps the legislature figure out the budget for the upcoming fiscal year.
The tabs are ordered to progress from the most detailed (tabs 1-2; tabs 3-4) to the least detailed spend (tab 5). For example, tab 1 requires the most data, tab 2 pulls data from tab 1, and tab 5 summarizes the total spend.
The rows are color coordinated to differentiate between security IT (orange) and general IT (blue) spend.
All IT project costs, including staff, one-time and ongoing maintenance should be reported in SIMM 55-B.
Yes, include all IT cost information whether an Agency/state entity’s IT is centralized or not.
Per the instructions in SIMM 55, departments should report the total number and costs associated with mobile phones and all costs associated with mobile phones and their respective data, internet and other usage plans.
Additionally, the requirement to report Mobile Phones in the IT Cost Report only applies to devices that meet the definition of a Mobile Phone as identified in SIMM 55. Mobile computing devices with the capability to connect to a cellular network, such as wireless hotspots, do not meet this definition and should not be included in the “Mobile Phone” line item of the IT Cost Report. Only mobile phone purchases that access the cellular network for voice and data and comply with the definition of a mobile phone should be added to this line item.
If security is the primary purpose of the purchase, report the cost in the sub-category “Hardware, IT Security”; if not, then report the expense under “Hardware”.
Report under the Network Security domain any devices whose primary purpose is to protect computers and computer networks from attack and infiltration. Typical costs are firewalls, Next Generation Firewalls (NGFW), Network Intrusion Detection and Prevention (NIDS and NIPS), Virtual Private Networking (VPN), Hardware Security Modules (HSM), Proxy Servers, and Unified Threat Management (UTM).
For this year’s report, include incurred costs whether for the direct benefit of your department and/or other departments that receive your services. Notate in the comments section the departments, Boards and Commissions who receive security services through that spend.
For Personnel PY Costs on the IT Security Spend Allocation worksheet, report only staff whose primary responsibilities are IT Security.
- IT Security Contractor Personnel costs are for contractors who are on-site performing security related duties as their primary duties. These may include network monitoring, security hardware maintenance, patching or other security related duties.
- IT Security Services are costs for outsourced services such as monitoring and/or managing security devices, remote or subscription-based monitoring, management of firewalls and advisory services that analyze and improve security strategy and operations. Report the cost of independent security assessments and information security audits in IT Security Services.
- IT Security Consulting costs include consulting services used for purposes such as developing a departmental security plan or consulting to develop security technology strategies and implementation.
Report all costs in the year incurred. Notate in the comments that costs are a multi-year expense and include the number of years.
CDT tracks ‘New’ investment versus ‘Renewal/maintenance’ (ongoing costs) to have a better understanding of investments within each category and their relationship to performance trends over time.
Contact ITPolicy and we will provide an updated template with additional rows.